Annexes to COM(2023)323 - Annual report to the Discharge Authority on internal audits carried out in 2022 - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2023)323 - Annual report to the Discharge Authority on internal audits carried out in 2022. |
|---|---|
| document | COM(2023)323 |
| date | June 20, 2023 |
2. Statistical data on Internal Audit Service recommendations
The Internal Audit Service issued 172 recommendations stemming from its 2022 audit work. As illustrated below, the majority of these recommendations (71%) were rated important, with two recommendations rated critical.
172
Source: European Commission, Internal Audit Service
In 2022, the auditees accepted 167 of the 172 recommendations issued by the Internal Audit Service. Two recommendations were partially accepted 7, and three recommendations were rejected 8. For all (partially) accepted recommendations, the auditees drafted action plans. These action plans were submitted to the Internal Audit Service, who subsequentially assessed them as being satisfactory or requested a revised action plan.
RECOMMENDATIONS ISSUED BETWEEN 2018 AND 2022
The Internal Audit Service addressed a comprehensive overview of the follow-up of recommendations which were overdue by more than six months to the Audit Progress Committee. In addition, the Internal Audit Service prepared quarterly reports on the implementation of recommendations overdue by more than six months, which were discussed during Audit Progress Committee preparatory group meetings.
As illustrated below, at the cut-off date of 31 January 2023, out of a total of 854 (partially) accepted recommendations 9 made by the Internal Audit Service during the period 2018-2022, 635 (74%) were assessed by the auditees as implemented 10 . This leaves a total of 219 recommendations (26%) that remain open.
Source: European Commission, Internal Audit Service
Of the 219 open recommendations remaining open at the cut-off date, two are rated as critical, 62 are rated as very important, and 155 are rated as important.
Of the open recommendations, 46 are overdue (not implemented by the originally agreed date). These overdue recommendations represent 5.4% of the (partially) accepted recommendations. Of the overdue recommendations, three very important are classified as long overdue (a recommendation is long overdue when it is still open more than six months after the original implementation date). This is a considerable decrease from previous years, attesting to the strict follow-up policy of the Internal Audit Service in the assessment of the implementation of its recommendations. These very important long overdue recommendations represent 0.4% of the total number of (partially) accepted recommendations in the period 2018-2022 (compared to 0.8% in the previous reporting period). There are no very important long overdue recommendations issued before 2018.
Source: European Commission, Internal Audit Service
Overall, the Internal Audit Service considers the implementation of its recommendations to be satisfactory and comparable to previous reporting periods. This state of play indicates that the Commission services are diligent in implementing the critical and very important recommendations, thereby mitigating the risks identified by the Internal Audit Service. Nevertheless, attention should be paid to the long overdue individual recommendations rated very important.
Part 3 of the annex to this report summarises these very important and long overdue recommendations.
4. Conclusions based on the audit work performed in 2022
1. Conclusion on performance audits
Contributing to the Commission’s performance-based culture and greater focus on value for money, the Internal Audit Service carried out performance and comprehensive audits11 in 2022 as part of its strategic audit plan.
The resulting audit conclusions concerned: (1) EU policy implementation; (2) internal control systems in relation to legality and regularity; (3) preparedness for and early implementation of the EU budget; (4) performance management; (5) cooperation with third parties implementing policies and programmes; (6) information technology; and (7) other processes.
In line with its methodology and best practices, the Internal Audit Service approaches performance in an indirect way, by assessing the performance of departments in implementing policies, programmes and actions by reference to the risks associated with them. With this approach, it aims at ensuring that
Directorates-General and services have developed appropriate performance frameworks, performance measurement tools, and monitoring systems.
The following sections set out the Internal Audit Service’s conclusions on the various performance aspects it focused on in its 2022 audits.
1. Performance management
A robust performance management system is essential to ensuring that objectives and performance indicators are effectively set and in line with the Commission priorities, that they are regularly monitored and reported on, and that the activities of the Commission deliver the maximum performance and added value. Political stakeholders and the public increasingly require clear evidence of the Commission’s delivery on political and operational objectives.
The Commission is thus committed to apply a strong performance framework. The Communication on the Performance Framework for the EU budget under the 2021-2027 multiannual financial framework comprises the necessary tools and procedures to set objectives, and measure and monitor progress towards them. It is within this framework that the Internal Audit Service conducted four audits in the area of performance management.
1. To monitor its performance and adequately report to the public and other stakeholders, the Commission needs to have reasonable assurance that its performance information on EU financial programmes is reliable. The Internal Audit Service conducted an audit in the Directorate-General for Budget and the Commission’s Secretariat General. It assessed the adequacy of the control system in place to support the Commission in building assurance on the reliability of performance information on its financial programmes. The Internal Audit Service acknowledged that the overall control approach in relation to reliability of performance information cannot be applied in the same way as it is for legality and regularity aspects, partially explained by the challenging process through which performance information is collected, processed and reported, given the large quantity and diversity of such information, as well as the number of actors involved in the management of such information, particularly under shared and indirect management. In the light of this very challenging context, the Internal Audit Service concluded that although the Commission has made progress in improving the performance framework of the EU budget and in implementing the control system necessary for building assurance on the reliability of reporting of performance information on its financial programmes, a number of key improvements are needed to further strengthen this system. In particular, one very important weakness was identified related to the control activities, including gaps or inconsistencies in corporate guidance in relation to assessing the reliability of performance information (which are reflected in the way related controls are reported) and quality controls at central level not always implemented as intended, in particular the quality reviews and consistency checks concerning the annual activity reports.
2. Based on the state of play of the EU’s research and innovation framework programmes for the periods 2014-2020 and 2021-2027, the Internal Audit Service assessed specific features of the performance frameworks of Horizon 2020 (the effective implementation of the monitoring and reporting system) and Horizon Europe (the design of the performance framework). The audit covered the Directorates-General for Research and Innovation, for Climate Action, for Energy, for Mobility and Transport, the European Climate, Infrastructure and Environment Executive Agency, and the Joint Research Centre 12. The design of the performance framework and of the monitoring and reporting system for Horizon Europe and its operationalisation status are overall adequate and in line with the stage of the programme life cycle. However, the Internal Audit Service noted one very important weakness related to the effectiveness of the reporting system for Horizon 2020.
Finally, two audits on performance management were conducted in the following Directorates-General:
3. Eurostat and
4. Taxation and Customs Union.
In both cases (3) and (4) the performance management systems were adequately designed, efficiently and effectively implemented, enabling the planning, monitoring and reporting on the achievements of the key policy objectives
2. EU policy implementation
In 2019, the President of the Commission defined the political priorities for a five-year period. A key responsibility of the Commission is to translate these priorities into concrete actions. The different Directorates-General and services play an active role in designing and implementing EU policies. They do so by, among others, proposing EU legislation, assisting Member States in its implementation, ensuring that EU law is complied with, and ensuring the Union’s external representation for matters other than foreign affairs and security policy. Five audits conducted by the Internal Audit Service assessed the performance of the respective Directorates-General in some of these domains. Four of the five audits revealed that significant improvements are necessary, and the Internal Audit Service issued several very important recommendations in 2022 addressed to the audited Directorates-General 13.
1. One audit assessed the adequacy and effectiveness of the European Fund for Sustainable Development guarantee scheme. The Internal Audit Service recognised the efforts invested by the Directorates-General for International Partnerships, and for Neighbourhood and Enlargement Negotiations to manage this guarantee scheme, which is a new and unique instrument. Despite significant challenges related to the establishment of the new implementation modality, the need to negotiate several horizontal clauses and the reorientation to address the challenges of the COVID-19 pandemic, agreements for the whole amount of the instrument were signed within the deadline established by the fund’s regulation. However, the governance, assurance building, contractual and performance monitoring arrangements need to be significantly enhanced to strengthen the steering, implementation, and reporting processes.
1. A second audit conducted in the Directorates-General for Trade, for Agriculture and Rural Development, and for Environment, focused on the processes in place to ensure the efficient and effective implementation of bilateral trade agreements. It revealed that the Directorate-General for Trade took action to strengthen the implementation and enforcement of bilateral trade agreements, focusing on the coordination with external stakeholders and the cooperation with the other Commission services. However, further enhancements are needed in the Directorate-General for Trade in relation to the contribution of ex post evaluations and studies to the implementation of trade agreements, and to the documentation of information on the state of play of existing trade barriers.
2. A third audit aimed at assessing the processes put in place by the Directorates-General for Agriculture and Rural Development, and for Health and Food Safety, and by the European Anti-Fraud Office14 to prevent and detect food fraud. Food fraud may not only hinder the proper functioning of the internal market but also constitute a risk to human, animal, or plant health, to animal welfare or to the environment in the EU. Although overall, the processes put in place by the two Directorates-General are adequate, there remain very important weaknesses affecting their efficiency and effectiveness. These concern the allocation of tasks linked to organic food products; the screening of notifications to identify potential fraud cases; the monitoring of potential issues in Member States’ control systems; and the functionalities of the related information technology systems.
3. A fourth audit assessed the internal control system in the Directorate-General for Agriculture and Rural Development for the implementation of the national support programmes in the wine sector. Although, overall, the Directorate-General has adequate controls for the effective and efficient implementation of the national support programmes in the wine sector, a significant weakness remains. It relates to the performance monitoring of these programmes (namely the guidance provided to Member States on the performance data they need to report to the Commission, and the assessment of these data by the Directorate-General for Agriculture and Rural Development).
4. Studies are a key input in the policy-making process. The Internal Audit Service concluded that the internal control system in place in the Directorate-General for Mobility and Transport ensures that the different stages of the lifecycle of studies are effectively and efficiently managed, and compliant with the applicable legislation and corporate guidance.
3. Internal control systems: legality and regularity
Providing reassurance to the College, as well as to the Directorates-General and services, on the efficient and effective implementation of the internal controls as regards financial management remains one of the priorities of the Internal Audit Service. Based on an in-depth risk assessment and the resulting 2021-2023 strategic audit plan, the Internal Audit Service performed, in 2022, seven audit engagements in this domain. Through these audits, it emerged that significant improvements are needed, and several recommendations were issued 15.
1. The introduction, in 2016, of the 'estimated overall amount at risk at closure' represented a major step towards improving the Commission’s reporting on financial management, as it complements the reporting on programmes with multi-annual control systems by giving additional information on the estimated amounts at risk the Commission expects to remain once all estimated corrective actions will have been implemented. In this context, the Internal Audit Service conducted a limited review on the reporting of the Commission’s preventive and corrective measures (‘corrective capacity’) in the Directorates-General for Budget, for Agriculture and Rural Development, for Employment, Social Affairs and Inclusion, for International Partnerships, for Regional and Urban Policy, for Research and Innovation, and in the European Research Executive Agency. The Internal Audit Service acknowledged the ongoing efforts by the Directorate-General for Budget to improve the quality and clarity of the reporting on the preventive and corrective measures in the annual management and performance report for 2021. It concluded that the corporate instructions for the reporting on the preventive and corrective measures are overall well designed and effectively implemented by the sampled Directorates-General and services. However, there remain very important weaknesses on the internal controls in place (at both corporate and local levels) to ensure that simple, clear and reliable information is reported by the Directorates-General in their annual activity reports, and by the Directorate-General for budget in the Commission’s annual management and performance report. These concern the availability of quantitative data and qualitative information to effectively substantiate the Commission’s overall corrective capacity and the clarity and consistency of the reporting on corrections in the annual activity reports and annual management and performance report.
2. The Recovery and Resilience Facility is a temporary instrument through which the Commission raises funds to help Member States implement reforms and investments in line with the EU’s priorities. The Internal Audit Service assessed the control and audit strategies of the Directorate-General for Economic and Financial Affairs for the Recovery and Resilience Facility. It acknowledged that the progress in setting up the control and audit strategies has been a challenging task due to the complexity of the operational environment and of the instrument’s legal framework, as well as pressure on the resources to approve the national recovery and resilience plans and make the first payments. However, there remain very important weaknesses on the design of these controls that may hamper the assurance on the legality and regularity of the payments and on the effectiveness of the control systems in Member States in protecting the financial interests of the Union. These weaknesses related to the methodology for suspension of payments in case of non-achievement of milestones and targets, the application of corrections stemming from ex post audits, the definition of criteria to conclude on the compliance of the control systems of Member States and the methodology for defining the scope of system audits.
3. An audit in the Directorate-General for European Civil Protection and Humanitarian Aid Operations assessed the design and implementation of controls in grant management, from the award to final payment and ex post audits, related to the Union Civil Protection Mechanism. Although the control strategy for the management of grants is adequately designed, a very important weakness exists in its implementation related to the non-disclosure of the criteria for the selection of beneficiaries in direct award procedures and the justification for the use of such procedures.
4. European Union funding, under the neighbourhood and the world budget heading, may be provided to beneficiaries across all continents. The capacity of EU delegations is however limited, and it is not possible for the external action Directorates-General to examine each expenditure item in final payment requests. Therefore, beneficiaries and contractors are contractually required to provide expenditure verifications by an external auditor. These contractual expenditure verifications have the potential to prevent a high number of legality and regularity errors from occurring before the Commission makes a payment and have therefore a prominent feature in the internal control chain. Previous audits of the Internal Audit Service revealed that contractual expenditure verifications may not always be a sufficiently reliable control, as they were not always able to detect ineligible expenditure before a final payment. In 2022, the Internal Audit Service assessed the design and implementation of the controls over contractual expenditure verifications in the Directorates-General for International Partnerships, for Neighbourhood and Enlargement Negotiations and in the Service for Foreign Policy Instruments. The Internal Audit Service noted that the Directorate-General for International Partnerships made significant efforts to implement the contractual expenditure verification process, which is also used by the Directorate-General for Neighbourhood and Enlargement Negotiations and by the Service for the Foreign Policy Instruments. However, the design of this process is not fully adequate and hence it is only partially effective and efficient in serving as a reliable source of assurance on the legality and regularity of payments. In this context, the Internal Audit Service identified two very important weaknesses related to the objective and design of the process and the monitoring of feedback on the contractual expenditure verifications.
5. The Directorate-General for Informatics has a leading role in the procurement procedures related to information and communication technology, covering not only the European Commission but also other EU institutions and bodies. The Internal Audit Service performed an audit on public procurement in the Directorate-General for Informatics. Considering this challenging role, the Internal Audit Service concluded that the Directorate-General designed and implemented an adequate and effective governance, risk management and internal control framework for its procurement activities. However, there remains a significant weakness regarding its efficiency, in particular when it comes to steering information and communication technology procurement procedures towards more competitive and economic methods.
6. The General Data Protection Regulation16 put data protection compliance at the centre of organisations’ governance and introduced a risk-based approach to assessing data processing operations with the aim of strengthening the fundamental right of every person to the protection of their data. To ensure a coherent and harmonised approach to personal data protection across the EU institutions, bodies, offices and agencies, an internal data protection regulation, aligned with the principles and rules of the General Data Protection Regulation, was adopted in 201817. Its main objective is to ensure that the EU institutions, bodies, offices and agencies process personal data fairly and transparently. Executive agencies process large amounts of personal data. Considering the Commission’s key role in the adoption of data protection regulations at EU level, it is important that executive agencies also lead by example in applying the new EU data protection rules. The Internal Audit Service performed an audit in five executive agencies 18 and in the Directorate-General for Research and Innovation to assess whether they put in place an effective and efficient internal control system for the protection of personal data, in compliance with the key provisions of the internal regulation on data protection. The Internal Audit Service concluded that the executive agencies, supported by the Directorate-General for Research and Innovation, have put in place a control system for the protection of personal data, which aims to comply with the key provisions of the applicable regulation. However, while recognising that the Directorate-General for Research and Innovation set up a solid governance structure to help address common questions on the management of personal data and has overall made progress in implementing a control system for the protection of personal data, there remain significant weaknesses affecting its effectiveness and efficiency. These weaknesses concern the formalisation of the joint controllership agreement for the processing of personal data and the transfer of personal data to third countries via the Funding and Tenders portal.
7. Finally, the Internal Audit Service conducted a review of the internal control framework of the Directorate-General for Taxation and Customs and concluded that the Directorate-General performed an adequate assessment of the presence and functioning of its internal control principles and components.
4. Preparedness for and early implementation of the EU budget
The Multiannual Financial Framework 2021-2027 combined with the NextGenerationEU recovery instrument represent an unprecedented amount to help repairing the economic and social impacts caused by the COVID-19 pandemic and aid the transition towards a modern and more sustainable Europe. The associated risks related to the management of this budget and the achievement of its objectives are inherently high. This led the Internal Audit Service to include, in its 2022 audit plan, four audits covering the initial steps in planning and implementing the EU budget. The Internal Audit Service issued several recommendations, two of which rated as critical, stemming from the weaknesses identified.
1. The audit conducted in the European Innovation Council and Small and Medium-sized Enterprises Executive Agency and the Directorates-General for Research and Innovation, and for Communications, Networks, Content and Technology, focused on the European Innovation Council. The European Innovation Council was launched as a pilot under the eighth research and innovation framework programme, Horizon 2020, which included the creation of a dedicated entity for investments, the European Innovation Council Fund. The European Innovation Council became a fully-fledged programme under Horizon Europe (2021-2027 period), encompassing three schemes: Pathfinder (grants), Transition (grants) and Accelerator (grant-only, equity-only and blended finance support). Although internal controls for the European Innovation Council grant component (Pathfinder and Transition schemes) were adequately designed and implemented, the Internal Audit Service found critical and very important weaknesses in the governance and internal control systems for its Accelerator scheme. The weaknesses relate to the governance of the programme, the executive agency’s internal control environment in relation to the European Innovation Council, the transition to indirect management, reporting from the European Innovation Council Fund to the executive agency and the Directorate-General for Research and Innovation, inconsistencies in the conflicts of interest checks during the evaluation process, and information and technology services and tools related to the Accelerator scheme.
2. Another audit focused on the assessment of the control strategy implemented by the Directorate-General for Defence, Industry and Space in the management of the early stages of the European Defence Fund. Despite adequately designed controls, there was a significant weakness related to the implementation of the validation of the status of small and medium-sized enterprises and middle capitalisation companies.
Finally, two audits focused on the early stages of the implementation of the 2021-2027 multiannual financial framework:
3. Early implementation of the Connecting Europe Facility 2021-2027 programme by the European Climate, Infrastructure and Environment Executive Agency and the Directorates-General for energy and for Mobility and Transport, and
4. The preparedness of Directorate-General for Education, Youth, Sport and Culture to implement the 2021-2027 Erasmus+ programme.
The results (3) and (4) were satisfactory with no high residual risks or major weaknesses identified in the Commission Directorates-General and Services audited.
5. Cooperation with third parties implementing policies and programmes
Budget implementation tasks can be entrusted to Union bodies referred to in Articles 70 and 71 of the Financial Regulation. Currently, the landscape of EU decentralised agencies is diverse in terms of their governance structures, mandates and tasks. Considering the risks identified by the Internal Audit Service related to the Commission’s responsibility in cooperating with, monitoring and supervising these bodies, as well as last year’s first audits encompassing both Commission partner Directorates-General and EU decentralised agencies or other autonomous bodies, in 2022, the Internal Audit Service carried out two audits of a similar nature.
1. The first audit covered the cooperation mechanisms between the European Training Foundation and the Directorates-General for Employment, Social Affairs and Inclusion, for International Partnerships, for Neighbourhood and Enlargement Negotiations and for Education, Youth, Sport and Culture. The Directorates-General have put in place adequate processes to support their relations with the European Training Foundation. However, their effectiveness was found to be impaired by the lack of preciseness in the geographic mandate of the Foundation, which is mainly under the responsibility of the Directorate-General for Employment, Social Affairs and Inclusion.
2. The second audit covered the cooperation between the Directorate-General for Maritime Affairs and Fisheries and the European Fisheries Control Agency, and it found that the Directorate-General designed adequate, effective and efficient cooperation processes on activities related to compliance with international provisions under Article 30 of the Common Fisheries Policy Regulation.
6. Information technology
In view of heightened security concerns, legal obligations, Member States’ expectations, new user requirements, and a corporate approach to information management, the Commission adopted, in 2018, a Digital Strategy with the aim of bringing new innovative digital solutions to support its policies and activities. In this context, the Internal Audit Service conducted, in 2022, four audits on information technology.
1. The Directorate-General for Informatics has a central role in supporting and coordinating the implementation of the Commission’s Digital Strategy, in addition to delivering, in collaboration with the other Commission departments, several technical strands which are essential in promoting the digitalisation of the Commission. The audit on progress in the implementation of the Commission’s Digital Strategy revealed that although the Commission designed and implemented adequate control systems to oversee, manage and monitor the implementation of the European Commission Digital Strategy, there remains one significant weakness affecting its effective implementation. It concerns the guidance and support provided by the Directorate-General for Informatics to Commission departments to prepare and monitor the progress in implementing process digitalisation, the related actions of the digital solutions modernisation plan, and a digital delivery model.
Three audits assessing the design and implementation of information technology governance and management arrangements were conducted in four Directorates-General and services:
2. Migration and Home Affairs, and Justice and Consumers
3. Taxation and Customs Union
4. Secretariat-General.
The Internal Audit Service did not identify significant vulnerabilities through these audits.
7. Other processes
Two audits assessed performance aspects within other processes, namely physical security and human resources management.
1. The audit on human resources management in the Directorate-General for Economic and Financial Affairs did not reveal major weaknesses in the control system.
2. The audit on physical security identified several issues, which resulted in five very important recommendations.
As a European institution, employer and caretaker, the Commission has the responsibility to provide physical security measures for protecting its employees and safeguarding its assets. The overall responsibility for the protection of assets and persons for all Commission premises and staff is conferred to the Directorate-General for Human Resources and Security. The Internal Audit Service acknowledged that the security domain is challenging and complex. As new risks emerge, the security landscape changes, and the Commission services (particularly the Directorate-General for Human Resources and Security) must respond accordingly, without additional resources. Although the Commission has made progress in implementing adequate governance, risk management and internal control frameworks for physical security to protect its employees and safeguard its assets, a number of significant actions are still required to reach the necessary level of maturity. These relate to the governance framework to the risk management framework, and to the internal control measures.
2. Internal Audit Service limited conclusions
The Internal Audit Service issued limited conclusions on the state of internal control to all Commission’s Directorates-General and services19 in February 2023. These limited conclusions contributed to the 2022 annual activity reports of the Directorates-General and services concerned. Drawing on the audit work carried out in the last five years, they cover all open recommendations issued. The Internal Audit Service’s conclusion on the state of internal control is limited to the management and control systems that were audited. It does not cover systems not audited by the Internal Audit Service in the past five years.
3. Overall opinion on the Commission’s financial management
As required by its mission charter, the Internal Audit Service issues an annual overall opinion on the Commission’s financial management. This is based on the audit work in the area of financial management in the Commission carried out by the Internal Audit Service during the past three years (2020 to 2022). It also takes into account information from other sources, namely the reports of the European Court of Auditors. The overall opinion is issued at the same time as this report and covers the same year.
Based on this audit information, the internal auditor considered that, in 2022, the Commission had put in place governance, risk management and internal control procedures which, taken as a whole, are adequate to give reasonable assurance over the achievement of its financial objectives. However, the overall opinion is qualified with regard to the reservations the authorising officers by delegation made in their declarations of assurance issued in their respective annual activity reports.
In arriving at the overall opinion, the Internal Audit Service also considered the combined impact of all amounts estimated to be at risk at payment as these go beyond the amounts put under reservation. The overall amounts at risk at payment are the best estimation of the authorising officers by delegation of the amount of the expenditure authorised not in conformity with the applicable contractual and regulatory provisions at the time of the payment in 2022. In their annual activity reports, Directorates-General and services estimate amounts at risk at payment to total between EUR 2 722 million and EUR 3 294 million approximately. This corresponds to between 1.6% and 1.9% of total relevant expenditure20 from the Commission budget, European Development Fund and EU Trust Funds in 2022 and therefore below the materiality of 2% as defined in the instructions for the preparation of the 2022 annual activity reports.
These amounts at risk at payment in 2022 do not yet include any financial corrections and recoveries related to deficiencies and errors which the Directorates-General and services will detect and correct in the future due to the multiannual corrective mechanisms built into the Commission's internal control systems.
Given these elements, the Internal Audit Service considers that the EU budget is therefore adequately protected in total and over time.
Without further qualifying the overall opinion the Internal Audit Service emphasised the following matters.
1.Implementation of the EU budget in the context of unpredictable and repetitive crises
The health, social, economic and financial situation created by the COVID-19 pandemic and the subsequent crises (Russian war of aggression in Ukraine, energy crisis, inflation, migration) entails potentially high, cross-cutting risks for the institution as regards the implementation of the EU budget and the delivery of its policy priorities.
This includes the operations which are part of the 2014-2020 multiannual financial framework, for which adequate controls (ex post in particular) still need to be performed, and operations under the 2021-2027 multiannual financial framework and the recovery package under NextGenerationEU, on assurance, compliance and performance aspects.
To ensure the budget is duly protected over time in the face of the existing unprecedented challenges, the Internal Audit Service stresses that the Commission’s DGs and services should continue to (i) duly assess the risks caused by repetitive crises related to financial management in terms of assurance, performance, compliance with the legal framework, and the potential impact on the effectiveness of the Commission’s ability to implement corrective actions due to possible logistical constraints to undertake controls on the spot and the very challenging economic situation faced at EU and national levels (including the possible bankruptcies of final beneficiaries, which could make it difficult to recover undue amounts); and (ii) define and implement adequate mitigating measures, such as adjusting or redefining their control strategies.
2.Implementation of the Recovery and Resilience Facility
Measures to protect the EU budget also need to be further reinforced in the context of the implementation of the performance-based Recovery and Resilience Facility (RRF).
The Commission’s Directorates-General should:
a) continue to review, and, if necessary, further enhance, the design and implementation of the financial management systems and the audit and control strategies to ensure their adequacy,
b) apply effectively the framework for assessing milestones and targets and the Commission methodology for the determination of payment suspensions under the RRF Regulation adopted on 21 February 2023. These key elements of the control strategy provide clarity about how the Commission will interpret and apply in practice the notion of “satisfactory achievement” as set out in the RRF Regulation, in cases where certain milestones and targets for a particular payment request have not been met either in full or in part. As the related framework and methodology are new and have, on the one hand, to allow a degree of flexibility and, on the other hand, to ensure an equal treatment of very complex and diverse situations, the Commission should review and amend them as it gathers more experience with their application.
In addition, due attention should continue to be given to ensure that effective control systems are in place as concerns the primary responsibility of the Member States and the specific responsibilities of the Commission in relation to other elements of compliance (i.e. protection of the financial interests of the Union in the case of non-compliance with EU and national rules, in particular regarding the prevention, detection and correction of fraud, corruption, double funding and conflicts of interest or a serious breach of an obligation resulting from the Loan or Financing Agreement). In this context, the availability of information on the use of funds concerning measures for the implementation of reforms and investment projects under the recovery and resilience plans is very important at national and EU levels for the purpose of audit, control and the fight against fraud, as well as for political stakeholders. Therefore, the Commission has to continue its actions to ensure that Member States collect and provide access to standardised categories of data related in particular to final recipients of funds, contractors and subcontractors where final recipients of funds are contracting authorities and beneficial owners of the recipients of funds or contractors (see detailed requirements in Article 22(3) points d) and e) of Regulation (EU) 2021/241). In this context, the Commission should take all necessary measures to ensure that Member States compile and publish information about the top 100 final recipients of RRF funding as required by the revised RRF Regulation.
3. Supervision strategies to ensure the sound financial management for the implementation of policies and programmes by third parties
Over the last years, the Commission has introduced new, innovative financial schemes and instruments which complement the traditional management modes. Their implementation requires the intervention of third parties, like in the case of shared and indirect management. These parties include financial institutions, international organisations, national authorities and national agencies in Member States, third countries, joint undertakings, and EU decentralised agencies. The Commission entrusts or delegates tasks to these third parties some of which imply decision-making responsibilities. This entails specific challenges and risks for the Commission, as also highlighted by the European Court of Auditors.
Irrespective of the instrument and the management mode used to implement EU policies, the Commission remains fully responsible for ensuring the legality and regularity of expenditure and sound financial management, as well as the achievement of policy objectives.
In order to fulfil their overall responsibilities, the DGs have to define and implement adequate, effective and efficient mechanisms for supervision, monitoring and reporting. They aim to ensure that the delegated entities and other partners effectively implement the programmes, adequately protect the financial interests of the EU, comply with the delegation agreements, when applicable, and that any potential issue is identified and addressed as soon as possible. Actions have been taken in recent years to mitigate the risks identified as a result of audit work, in particular in the area of indirect management, but further improvements are still needed as regards the supervision and monitoring of new, innovative financial schemes and instruments. This is relevant not only in relation with the closure of activities delegated under the 2014-2020 multiannual financial framework, but more so in view of the increase in the use of equity, guarantee and risk sharing instruments in the 2021-2027 multiannual financial framework.
5. Consultation with the Commission’s financial irregularities panel21
No systemic problems were reported in 2022 by the panel set up pursuant to Article 143 of the Financial Regulation, where it gives the opinion referred to in Article 93 of the Financial Regulation.
6. Mitigating measures for potential conflicts of interest (international internal auditing standards) — Investigation of the European Ombudsman
The current Director-General of the Internal Audit Service, Internal Auditor of the Commission, Mr Manfred Kraff, took office on 1 March 2017. Mr Kraff was previously Deputy Director-General and Accounting Officer of the Commission in the Directorate-General for Budget.
In line with international audit standards (22), on 7 March 2017, following his appointment as Director-General and Internal Auditor, Mr Kraff issued instructions on the arrangements to be put in place to mitigate and/or avoid any potential or perceived conflicts of interest in the audit work of the Internal Audit Service in relation to his former responsibilities. These arrangements were prolonged in 2018, 2019, 2020, 2021, 2022 and in 2023, through instruction notes, issued by Mr Kraff, to all Internal Audit Service staff. According to the arrangements, Mr Kraff shall not be involved in the supervision of audit work relating to operations for which he was responsible before joining the Internal Audit Service. In such cases, the supervision of the audit work ultimately falls under the responsibility of Mr Mason, Director in the Internal Audit Service (Directorate B, Audit in Commission, Executive Agencies, EU Agencies and other autonomous bodies II).
The arrangements also state that the Audit Progress Committee is informed of these instructions and of their implementation and that Mr Mason would refer to the Audit Progress Committee for the assessment of any situation that may be interpreted as impairing Mr Kraff's independence or objectivity. In those cases, Mr Kraff would refrain from any supervision of the audit in question.
The Audit Progress Committee took note of the continuation of these arrangements during its January 2023 (preparatory group) meeting.
1
The report does not cover the European Peace Facility, decentralised European agencies, the European External Action Service or other autonomous bodies audited by the Internal Audit Service, which receive separate reports.
2
Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012OJ L 193, 30.7.2018.
3
The audit reports finalised in the period 1 February 2022 to 31 January 2023 are included in this report.
4
Communication to the Commission, Mission Charter of the Internal Audit Service of the European Commission, C (2022)8450 final of 28 November 2022.
5
For details, see Communication to the Commission, Charter of the Audit Progress Committee of the European Commission, C(2020) 1165 final of 27 February 2020. The Charter of the Audit Progress Committee was updated in 2020 to take account of the 2019—2024 Commission entering into office on 1 December 2019 and changes in the Committee’s membership.
6
The Internal Audit Service audit universe of the Commission includes in total 51 organisational entities. For some of these entities, more than one final audit, review or consulting report was issued in 2022. See the Staff Working Document accompanying this report for a detailed overview of entities for which final audit and review reports were issued.
7
One very important recommendation and one important recommendation were only partially accepted by the auditee. Management accepted the remaining residual risk.
8
8Three very important recommendations were rejected; this refers to the same recommendation addressed separately to three audited Directorates-General and services, in the scope of one multi-entity audit. Management accepted the residual risk.
9
Out of 858 recommendations issued in 2018-2022, 852 recommendations were fully accepted, two were partially accepted and four were rejected.
10
The chart shows the rating of the recommendations at the cut-off date. This may differ from the rating in the original audit report because, in the context of a follow-up audit, the Internal Audit Service may assess that the actions taken by the auditee partly mitigated the risks initially identified and therefore the rating of the recommendation was downgraded.
11
In total, the Internal Audit Service carried out 28 performance and comprehensive audit engagements. For more details see the annex.
12
In addition to the Commission Directorates-General and services, the audit also covered the Clean Aviation Joint Undertaking, which is an EU autonomous body and therefore falls outside the scope of this report.
13
14 out of a total of 48 very important recommendations issued in 2022 (29%).
14
In line with the administrative arrangements between the Commission and the European Anti-Fraud Office, the scope of the audit did not cover issues which fall under the European Anti-Fraud Office Director-General’s independence of its duties with respect to investigations. The audit work regarding the European Anti-Fraud Office consisted of a review of documents without going into the investigative activities, and of interviews with relevant staff. It resulted in no finding or recommendation for the European Anti-Fraud Office.
15
18 out of a total of 48 very important recommendations issued in 2022 (38%).
16
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1.
17
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39.
18
The Education and Culture Executive Agency, the European Innovation Council and Small and Medium-sized Enterprises Executive Agency, the European Climate, Infrastructure and Environment Executive Agency, the Research Executive Agency, the European Research Council Executive Agency.
19
Except for three Commission Directorates-General/services. The Directorate-General for European Health Emergency Preparedness and Response Authority and the European Health and Digital Executive Agency were set-up in 2021 and therefore no limited conclusions could be provided for these entities. No audits were carried out in the advisory service Inspire, Debate, Engage and Accelerate Action during the 2018-2022 period, as no high risks were identified, and therefore no limited conclusion was provided.
20
Expenditure means the total amount of payments made in 2022 minus the total amount of new pre-financing paid in 2022 plus the total amount of old pre-financing cleared in 2022 as reported by the Commission services in their 2022 annual activity reports.
21
Since the entry into force of the 2018 Financial Regulation the functions of all institutions’ financial irregularities panel have been transferred to the Early Detection and Exclusion System Panel referred to in Article 143 of the Financial Regulation.
22
The international standards referred to in Article 117 of the Financial Regulation on the appointment of the Internal Auditor (International Standards for the Professional Practice of Internal Auditing), state that ‘If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.’ (Standard 1130). Moreover, the standards state that: ‘Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.’ (Standard 1130.A1).
EN EN